GP-013 Risk management
Procedure flowchart
Purpose
To describe the procedure to establish and control the risk management of our medical devices, from their conception through design, development, placing on the market and the post-market phase (along their life cycle), to guarantee patient safety and remove or minimise risks as much as possible.
Scope
All medical devices developed by us and all processes involved in the product's life cycle.
Responsibilities
JD-001
To approve the risk management plan and procedure.
JD-004
To prepare the risk management plan and procedure in order to develop the risk management, and record the risk analysis and the risk management report.
JD-003
To request the risk management report and evaluate it together with the JD-005 and the JD-004.
JD-005
To develop and review the risk management, perform the risk analysis and evaluate the benefit/risk ratio of the risks detected.
Inputs
UNE-EN ISO 14971:2020
Regulation (EU) 2017/745 MDR
ISO/TR 24971:2020
- Preclinical and clinical data.
- Known and foreseeable risks.
- Monitoring and measurements of incidents.
- Information collected from PMS and PMCF.
Outputs
T-013-001 Risk management plan
T-013-002 Risk management record
T-013-003 Risk management report
- Risk acceptability.
- Acceptability of the benefit-risk ratio, included within the T-013-003 Risk management report.
Development
One risk universe, three lenses
Although this procedure aims at assessing clinical or patient safety hazards and hazardous situations leading to harms in accordance with UNE-EN ISO 14971:2020, we understand one unified risk universe viewed through three complementary lenses:
- Safety (ISO 14971 / ISO/TR 24971): clinical or patient safety hazards and hazardous situations leading to harms. Likelihood term is probability of harm given exposure.
- Usability & Human Factors (ISO 62366 + FDA HF guidance): use scenarios and potential use errors that initiate or modify sequences of events. HF validation (summative) provides empirical evidence to refine probability estimates and identify latent use errors.
- Cybersecurity (IEC 81001-5-1 + FDA 2023 Cybersecurity Guidance): threat, vulnerability and exploitability producing or amplifying hazardous situations. The likelihood construct differs: we focus on exploitability (E) of a reachable attack surface, not a direct clinical probability; exploitability then propagates into clinical probability via altered exposure, inducement of use error, or system performance degradation. Cyber risks can:
  - Create new clinical hazardous situations (e.g. corrupted diagnostic data, integrity loss).
  - Increase exposure frequency (e.g. denial-of-service causing repeated retries, workflow stress).
  - Induce or amplify use errors (e.g. confusing UI states after partial compromise).
  - Escalate severity (e.g. delayed or incorrect treatment decisions due to manipulated outputs).
ISO 14971 explicitly permits using the same risk-management process for data and systems security risks in medical devices, which is why cybersecurity is integrated into a unified table rather than handled in a separate record.
All three lenses feed a shared causal chain so security threat modeling outputs and HF summative test findings trace directly into the safety risk management file (no parallel silos).
Chain of events
The following chain-of-events model unifies safety, usability and cybersecurity analyses, identifying an Initiator, an Exposure, an Event and an Impact:
- Usability & Human Factors (ISO 62366 + FDA HF guidance)
- Safety (ISO 14971 / ISO/TR 24971)
- Cybersecurity (IEC 81001-5-1 + FDA 2023 Cybersecurity Guidance)
However, a more comprehensive approach considers the interplay between these domains:
This lets HF summative tests and cyber threat models plug into the same causal path used for traditional safety risk analysis.
Risk management policy
In this section, we clarify the roles and responsibilities of our senior management and our staff in the risk management process. We also describe the context for risk management as part of the overall system of internal controls and arrangements, outlining the main principles behind the risk management framework. Furthermore, we explain how acceptable risks are determined and define our criteria for risk acceptability.
Risk acceptability criteria
With the goal of providing a framework that ensures that criteria are based upon applicable national or regional regulations and relevant international standards, and taking into account available information such as the generally acknowledged state of the art and known stakeholder concerns, we define our criteria for risk acceptability.
The risk acceptability is based on an analysis of the probability of the occurrence of the harm (P) and the severity of the harm (S) in case that the patient or user is exposed to a hazard.
Severity (S)
The severity values are calculated according to the following table:
Score | Impact | Severity of product and client | Effect |
---|---|---|---|
5 | Critical | Damage or nuisance capable of causing serious damage to the health of the user or breach of commitments or essential requirements. | Loss or degradation of primary function or death and / or non-compliance with requirements. |
4 | Serious | Harm or nuisance capable of causing severe or significant harm to the user or non-compliance with QMS capable of endangering compliance with essential and non-essential commitments or requirements. | Permanent impairment or irreversible injury and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence |
3 | Major | Damage or nuisance capable of causing minor or slight damage to the user or non-compliance with QMS capable of endangering compliance with non-essential requirements. | Injury or impairment requiring medical or surgical intervention and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence |
2 | Minor | Nuisance in the absence of danger to the user or small errors in the manufacturer's QMS that does not jeopardize compliance with requirements. | Temporary injury or impairment not requiring medical or surgical intervention and / or non-conformities of regulatory requirements |
1 | Negligible | No discernible effect or detriment to the ability to meet requirements | Inconvenience or temporary discomfort |
Probability (P)
The overall probability of harm (P) is calculated as the product of two distinct components:
P = P1 × P2
Where:
- P1 = Probability of occurrence of the hazardous situation
- P2 = Probability of the hazardous situation leading to harm
P1: Probability of Occurrence of the Hazardous Situation
This represents how likely it is that the hazardous situation will occur during use of the device.
Score | Probability | Frequency Range | Meaning |
---|---|---|---|
5 | Frequent | 1 - 1/10 | The hazardous situation is very likely to occur; expected to happen in more than 10% of cases or uses. |
4 | Probable | 1/10 - 1/100 | The hazardous situation is probable to occur; expected to happen in 1-10% of cases or uses. |
3 | Occasional | 1/100 - 1/1000 | The hazardous situation may occur occasionally; expected to happen in 0.1-1% of cases or uses. |
2 | Remote | 1/1000 - 1/10000 | The hazardous situation is unlikely but possible; expected to happen in 0.01-0.1% of cases or uses. |
1 | Improbable | 0 - 1/10000 | The hazardous situation is highly improbable but not impossible; expected to happen in less than 0.01% of cases or uses. |
P2: Probability of Hazardous Situation Leading to Harm
This represents the conditional probability that, given the hazardous situation has occurred, it will result in actual harm to the patient.
Score | Value for Our Device | Rationale |
---|---|---|
1 | Always 1 | Our software is a diagnostic support tool that aids healthcare professionals in diagnosis. It does not directly touch or interact with patients physically. Therefore, it cannot directly cause harm through physical interaction. Any harm pathway is indirect. |
For diagnostic support software that does not directly interact with patients:
- The device cannot directly cause physical harm
- If a hazardous situation occurs (e.g., incorrect diagnostic information), the probability that this situation can lead to harm (through indirect pathways such as clinical decision-making) is 1 (100%)
- However, the actual harm depends on P1 (how often the hazardous situation occurs) and other factors in the clinical pathway
This means:
Therefore, when calculating RPN (Risk Priority Number)
Detectability (D)
When the probability of occurrence of harm cannot be estimated, the probability will be assigned in terms of detectability.
The detectability can be estimated according to the following table:
Score | Detectability | Meaning |
---|---|---|
5 | Almost Certain | Detection probability <100%. Potential hazard will almost certainly be detected |
4 | High | Detection probability <80%. High chance that potential hazard will be detected |
3 | Moderate | Detection probability <50%. Moderate chance that potential hazard will be detected |
2 | Low | Detection probability <25%. Low chance that potential hazard will be detected |
1 | Remote | Detection probability <10%. Very remote chance that potential hazard will be detected |
Exploitability (E)
Exploitability refers to the ease with which a potential hazard can be exploited or turned into an actual harm. It takes into account the existing vulnerabilities and the likelihood of an attacker successfully exploiting them.
Score | Exploitability | Meaning |
---|---|---|
5 | Almost Certain | Exploitability <100%. Potential hazard will almost certainly be exploited |
4 | High | Exploitability <80%. High chance that potential hazard will be exploited |
3 | Moderate | Exploitability <50%. Moderate chance that potential hazard will be exploited |
2 | Low | Exploitability <25%. Low chance that potential hazard will be exploited |
1 | Remote | Exploitability <10%. Very remote chance that potential hazard will be exploited |
Approach to risk control
In general terms, we pursue a strategy of reducing risk as far as possible without adversely affecting the benefit-risk ratio. This is our general approach to risk control. However, certain risks may require an approach based on reducing risk as low as reasonably practicable, or even reducing risk as low as reasonably achievable, due to the nature of the risk.
Our top management reviews the suitability of the risk management process in the management review meetings to ensure continuing effectiveness of the risk management process.
Risk acceptability
For each identified hazardous situation, we decide the risk reduction measure based on its risk level. To quantify this, we use the RPN (Risk Priority Number).
The complete formula for RPN is:
RPN = P1 × P2 × S
where:
- P1 = Probability of occurrence of the hazardous situation
- P2 = Probability of the hazardous situation leading to harm
- S = Severity of harm
However, for our diagnostic support software, P2 is always equal to 1 because the device aids in diagnosis and does not directly touch or interact with patients. Since the software cannot directly cause harm to patients, the probability that a hazardous situation leads to harm through direct device interaction is always 1 (meaning the harm pathway is solely through the occurrence of the hazardous situation, not through a direct physical interaction).
Therefore, for our device:
RPN = P1 × S
As seen in the R-TF-013-002 Risk management record of every device, the risk estimation is the product of the severity multiplied by the probability (P1), ranging from 0 to 25. These values of probability and severity are based on technical previous experience, the state of the art and the foreseeable subjective evaluation.
As a result, we establish three ranges of acceptability, depending on the RPN.
RPN | Acceptability |
---|---|
From 0 to 5 | Acceptable: the risk is acceptable |
From 6 to 12 | As far as possible (AFAP): only acceptable if accompanied by minimization actions. |
From 13 to 25 | Not acceptable: a benefit-risk analysis is required. |
This results in the following matrix:
Probability of occurrence \ Severity of harm | 1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|---|
5 | Acceptable | As far as possible | Not acceptable | Not acceptable | Not acceptable |
4 | Acceptable | As far as possible | As far as possible | Not acceptable | Not acceptable |
3 | Acceptable | As far as possible | As far as possible | As far as possible | Not acceptable |
2 | Acceptable | Acceptable | As far as possible | As far as possible | As far as possible |
1 | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable |
Evaluation and criteria for individual benefit-risk acceptability and the overall residual risk
The method to evaluate the criteria for individual benefit-risk acceptability and the overall residual risk considers the clinical benefits provided by the performance of the intended use of the medical device.
The individual residual risk acceptance follows the same criteria as the one established for the general risks. It is indicated in the following table and detailed in the corresponding R-TF-013-002 Risk management record:
Probability of occurrence \ Severity | 1 (Negligible) | 2 (Minor) | 3 (Major) | 4 (Serious) | 5 (Critical) |
---|---|---|---|---|---|
5 (Frequent) | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
4 (Probable) | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
3 (Occasional) | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
2 (Remote) | Acceptable | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis |
1 (Improbable) | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable |
Moreover, we use experts to support the evaluation of the overall residual risk, taking into consideration each of the individual residual risks, in relation to the benefits expected from the medical device under consideration. These experts have knowledge and experience with similar medical devices.
The global benefit-risk ratio is based on general acceptability of the product and evidenced by the R-TF-015-003 Clinical evaluation report (CER) and periodically revised and re-validated as shown in the Clinical Evaluation Plan (R-TF-015-001 Clinical evaluation plan (CEP)), or when new hazards are identified and they require assessment and evaluation.
A visual representation, in form of a chart, of each of the residual risks is also used, giving a graphic view of the distribution of the risks. If many of the risks are in the higher severity regions or in the higher probability regions of the risk matrix, then the distribution of the risks can indicate that the overall residual risk might not be acceptable, even if each individual risk has been judged acceptable.
The results of the evaluation of the overall residual risk are documented in the R-TF-013-002 Risk Management Record.
Principles and governance
Our risk management approach reflects the following principles:
- Ensuring patient safety
- Addressing both value protection and value creation
- Ensuring that roles and responsibilities are explicit and clear
- Ensuring that the process for managing risk is fit for purpose
- Ensuring compliance with the applicable regulatory requirements
- Ensuring safety, performance and effectiveness of the medical device
And will be embedded in our governance structures as follows:
- Our top management is responsible for the risk management policy and for ensuring that the policy is implemented.
- The top management is also responsible for defining a sound system of internal control that supports the achievement of policies, aims and objectives while safeguarding the public.
- If and when the corporate structure changes, the organisation will ensure that the top management continues to lead and take responsibility for the commitment to risk management.
Commitment to risk management
Top management has the responsibility to establish and maintain an effective risk management process. We are committed to implementing an integrated risk management system in line with international reference standards, namely UNE-EN ISO 14971:2020, and guided by the following principles:
- Leadership of management: our management will provide the necessary resources and ensure that the organization works in accordance with these principles.
- Integration in management processes, especially those related to strategy and planning.
- Comprehensive and harmonized management, so that all risks are managed through a common process for identification, evaluation, and treatment.
- Continuous improvement, through periodic reviews of the management framework.
General requirements for our risk management system
Risk management process
We establish, implement, document and maintain a continuous process throughout the product lifecycle to identify the hazards and hazardous situations related to the medical device, estimate and evaluate the associated risks, control these risks, and monitor the effectiveness of the risk control measures. This process must include:
- Risk analysis
- Risk evaluation
- Risk control
- Production and post-production data
The risk management process will be integrated in all the procedures established at this QMS, especially GP-004 Vigilance System, GP-006 Non-conformities. Corrective and preventive actions, GP-007 Post-Market Surveillance and GP-014 Feedback and complaints.
We develop a risk management system based on the standard UNE-EN ISO 14971:2020.
Management responsibilities
The top management of the company:
- Ensures the availability of adequate resources, including the assignment of competent personnel, for risk management.
- Defines and documents the global risk acceptability criteria mentioned in this procedure.
- Checks the adequacy of the risk management process at planned intervals to ensure continuing effectiveness of the process (GP-002 Quality planning). Any decisions and actions taken will be documented in the T-002-004 Management review report.
Competence of staff
Staff involved in risk management will have sufficient experience, skills and knowledge to carry out the assigned tasks. The working team responsibilities will be documented in the corresponding T-005-001 Job description and they will also be described in the T-013-001 Risk management plan. Each T-013-002 Risk management record will be edited and reviewed by the people with the greatest knowledge and experience depending on the case, in relation to their knowledge of technologies, regulatory requirements, training and others.
It is the responsibility of the JD-001 to select the person responsible for each task. These assignments are documented in each T-013-002 Risk management record, showing the name and signature of the responsible individuals.
Risk management plan
Risk management team
The risk management team establishes and documents a T-013-001 Risk management plan.
To be part of the team, it is necessary to meet the following conditions:
- To have received specific training in the application of the risk management procedure according to the applicable regulations (MDR 2017/745 and ISO 14971),
- and/or deep knowledge of the product, the manufacturing or development process, the analysis and test methods used, and basic knowledge in the medical device requirements (ISO 13485).
The team performing the risk management must be composed of persons with knowledge and experience of not just risk management, but also of the medical device, the technologies involved and its use.
The responsibilities are defined at the corresponding T-005-001 Job description and the qualification for each of the components is registered in the T-005-002 Personnel card.
Risk management plan content
The minimum essential content of the T-013-001 Risk management plan, which will be reviewed every year, is:
- Scope: description of the risk management purpose and activities, identifying and describing the medical device and the life cycle phases.
- Terms and definitions: description of the most important concepts related to risk management.
- Assignment of responsibilities and authorities.
- Requirements for the review of the risk management activities.
- Criteria for risk acceptability.
- Evaluation and criteria for acceptability of the overall residual risk.
- Verification activities for the implementation and effectiveness of risk control measures.
- Collection and review of relevant production and post-market information.
- Planning of the risk management activities: relationship among the phases of the product's life cycle, the risk management activities and the related documentation.
The risk management process will be established in each phase of the product's life cycle, according to each step defined in this procedure.
Risk management record
The company establishes and maintains a Risk management record (T-013-002) according to the applicable requirements.
The T-013-003 Risk management record considers the following types of risks:
- Requirements risks (user, technical and regulatory)
- Product risks
- Processes risks
- Infrastructure risks
- Personnel training risks
- Safety and security characteristics (according to Annex A & F of the UNE-EN ISO 24971:2019)
Each record contains, at least:
- Hazards and hazardous situations
- Type of risk
- Risk analysis (estimation):
  - Foreseeable sequence of events
  - Harms
  - Risks
  - Parts/people affected
  - Potential causes/mechanisms of failure
- Initial risk evaluation
  - Severity (S) identification
  - Probability (P) identification, distinguishing:
    - P1: Probability of occurrence of the hazardous situation
    - P2: Probability of the hazardous situation leading to harm
    - Note: For our diagnostic support software, P2 is always documented as 1 because the device aids in diagnosis and does not directly touch or interact with patients, meaning it cannot directly cause harm
    - P (combined): P1 × P2 = Overall probability of harm (effectively P1 for our device since P2 = 1)
  - RPN (Risk Priority Number) = P (combined) × S = P1 × S
- Risk control
  - Control method selected option (according to UNE-EN ISO 14971:2020)
    - Inherently safe design and manufacture
    - Protective measures in the medical device itself or in the manufacturing process
    - Information for safety and, where appropriate, training to users
  - Implanted mitigation measures
  - Responsible
  - Implemented control measures verification
- Evaluation of overall residual risk
  - Severity and probability identification
  - RPN (Risk Priority Number)
  - Risk level, according to the cover of each T-013-002 Risk management record and/or the product's T-013-001 Risk management plan, its acceptability and risk level matrices:
    - Acceptable
    - AFAP (“As Far As Possible”). Review required, acceptable with current risk minimization measures.
    - Unacceptable
  - Risk acceptability, according to the cover of each T-013-002 Risk management record and/or the product's T-013-001 Risk management plan, its acceptability and risk level matrices:
    - Yes, acceptable
    - Pending, a risk minimization action is required
    - No, unacceptable
- Risk minimization for residual risk:
  - Control method selected option (according to UNE-EN ISO 14971:2020)
    - Inherently safe design and manufacture
    - Protective measures in the medical device itself or in the manufacturing process
    - Information for safety and, where appropriate, training to users
    - Control method based on the combination of some or all the previous.
  - Additional control measures
- Assessment of risks arising from risk control measures
  - Yes
  - No
- Acceptability of the individual benefit-risk ratio
- Clinical validation tracking (when applicable):
  - Identification as Safety Objective (Yes/No)
  - P1 observed during clinical studies
  - Date of clinical validation
  - Reference to clinical study or report
The risk acceptability value for residual risks is documented in the corresponding section of this procedure, and it will be based on a specific matrix where the harm probability and severity are related.
Residual risks identified as Safety Objectives require additional fields for clinical validation tracking. These fields allow comparison between estimated probability (P1) and observed clinical occurrence rates, ensuring continuous validation of risk assessments through real-world evidence.
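The comparison of estimated P1 against observed clinical occurrence, as an added example that is not part of this procedure or its templates. It maps an observed rate to a P1 score using the frequency ranges of the P1 table, recomputes the RPN as P1 × P2 × S with P2 = 1, and applies the 0-5 / 6-12 / 13-25 acceptability ranges. The record fields, the constructed sample records, the handling of a rate that falls exactly on a range boundary and the rule that an observation only flags an underestimate (never lowers an estimate) are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction

# Exclusive lower bounds of the P1 frequency ranges, highest score first.
P1_BANDS = [(Fraction(1, 10), 5), (Fraction(1, 100), 4),
            (Fraction(1, 1000), 3), (Fraction(1, 10000), 2)]
P2 = 1  # the procedure fixes P2 to 1 for this diagnostic support software


def p1_from_observed(events: int, uses: int) -> int:
    """Map an observed occurrence rate to a P1 score (1-5)."""
    if uses <= 0 or not 0 <= events <= uses:
        raise ValueError("need uses > 0 and 0 <= events <= uses")
    rate = Fraction(events, uses)  # exact, no float rounding at the bounds
    for lower, score in P1_BANDS:
        # Assumption: a rate exactly on a bound takes the lower score,
        # following the table's "more than 10%" wording for score 5.
        if rate > lower:
            return score
    return 1


def rpn(p1: int, severity: int, p2: int = P2) -> int:
    """RPN = P1 x P2 x S, rejecting scores outside the 1-5 scales."""
    for name, value in (("P1", p1), ("S", severity)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be a score from 1 to 5")
    return p1 * p2 * severity


def acceptability(value: int) -> str:
    """Apply the three RPN ranges of the acceptability table."""
    if value <= 5:
        return "Acceptable"
    if value <= 12:
        return "As far as possible"
    return "Not acceptable"


def matrix_row(p1: int) -> list:
    """One row of the acceptability matrix, for severity 1 to 5."""
    return [acceptability(rpn(p1, s)) for s in range(1, 6)]


@dataclass
class SafetyObjective:  # hypothetical record layout, not the template's
    risk_id: str
    severity: int
    p1_estimated: int
    events: int   # occurrences of the hazardous situation in the study
    uses: int     # cases or uses observed in the study


def review(obj: SafetyObjective) -> dict:
    """Compare the estimated P1 with the one observed clinically."""
    p1_obs = p1_from_observed(obj.events, obj.uses)
    est = rpn(obj.p1_estimated, obj.severity)
    obs = rpn(p1_obs, obj.severity)
    return {
        "risk_id": obj.risk_id,
        "p1_observed": p1_obs,
        "rpn_estimated": est,
        "rpn_observed": obs,
        "estimated": acceptability(est),
        "observed": acceptability(obs),
        # Only an underestimate triggers action: a small study with few
        # or no events is not evidence that the estimate was too high.
        "underestimated": p1_obs > obj.p1_estimated,
        "range_worsened": obs > est
        and acceptability(obs) != acceptability(est),
    }


# Constructed sample records, for illustration only.
SAMPLE_RECORDS = [
    SafetyObjective("R-EX-1", severity=4, p1_estimated=2, events=3, uses=400),
    SafetyObjective("R-EX-2", severity=3, p1_estimated=2, events=0, uses=5000),
    SafetyObjective("R-EX-3", severity=5, p1_estimated=2, events=6, uses=500),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(review(record))
```
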
In case of having more than one product, we will identify the specific product as part of the file name. For example, for product 1 and product 2, the name of the files will be:
- TF-R-013-002_Risk Management Record_Product 1 name_YYYY_nnn
- TF-R-013-002_Risk Management Record_Product 2 name_YYYY_nnn
Currently, we only develop and manufacture a single product.
The T-013-002 Risk management records will have a color code to identify:
- Risk level
- Risk acceptability
- Benefit-risk analysis
These colors are:
- Red color: unacceptable.
- Yellow color: AFAP (As Far As Possible), acceptable with current risk minimization measures.
- Green color: acceptable.
Risk analysis
Risk analysis process
The risk analysis process must be done for each medical device, specifying the risk directly associated with each product and the related processes.
The risk analysis plan consists of:
- Description of the product and its intended use (Technical File and Risk Management Plan).
- Identification of known and foreseeable hazards (Risk Management Records).
- Risk estimation for each hazard (Risk Management Records).
The people involved in each risk analysis record are named in the signature meaning section, identifying the responsibility and assigned task.
Finally, each responsible person signs the document according to GP-001 Documents and records control.
Intended use and reasonably foreseeable misuse
The intended use of the medical device is documented in the Technical File and in the T-013-001 Risk management plan, considering the intended medical indication, the patient population, the user profile, the use environment and the operating principle.
Likewise, the company documents the reasonably foreseeable misuse of the product in the T-013-002 Risk management record.
Identification of characteristics related to safety
The qualitative and quantitative characteristics that could affect the safety of the medical device and, when applicable, the limits of these characteristics are documented in the Technical File T-013-003 Risk management report.
Identification of hazards and hazardous situations
The identification of known and foreseeable hazards based on the intended use, the reasonably foreseeable misuse and the characteristics related to safety of the medical device, is documented in each T-013-002 Risk management record, in the column named “HAZARD AND HAZARDOUS SITUATION”, under normal conditions of use and failure conditions.
It will be based on a previous analysis documented in the T-013-001 Risk management plan.
Risk estimation
For each identified hazardous situation, we estimate the associated risk value using the rationale and the formula explained in the Risk Management Policy section. The risk estimation is registered for each risk at the T-013-002 Risk management record.
Risk evaluation
Risk level
For each identified hazardous situation, we decide the risk reduction needed based on its risk level. We define the risk level using the rationale and the formula explained in the Risk Management Policy section. This information will be registered in the T-013-001 Risk management plan and in the glossary of each T-013-002 Risk management Record.
Risk acceptability
We define the risk level using the rationale and the formula explained in the Risk Management Policy section.
Risk control
Risk mitigation
When a risk reduction is required, the following actions should be taken to mitigate or eliminate the risk.
Risk control option
To reduce the risks to an acceptable level, we determine a set of risk control measures that may be appropriate for each risk. In order of priority, the actions to be taken must be grouped as:
- Inherently safe design and manufacture or intrinsically safe design and construction as defined on Annex A of the standard UNE-CEN ISO/TR 24971:2020: to eliminate a particular hazard, reduce the probability of occurrence of the harm or reduce the severity of the harm. This includes improvements of the characteristics such as precision, reliability, automation of stages prone to mistakes, ease of use, or others. We apply a FMEA (Failure Mode and Effects Analysis) method to identify steps to prevent nonconforming products.
- Protective measures in the medical device or in the manufacturing process: if improvements in the manufacturing process are not feasible, additional controls may be required, such as inspection of input materials, in-process testing, reference materials to ensure metrological traceability, or final testing.
As well as that, we also consider:
- Information for safety and, where appropriate, training to users, such as instructions, warnings and other specific information (descriptive means).
Information for safety is not a control option, since chapter III of annex I of MDR 2017/745 specifies that users must be informed about residual risks, so additional risk reduction should not be attributed to the information provided to users (annex A of the standard UNE-CEN ISO/TR 24971:2020).
Verification activities
Regarding verification activities, two different verification activities are required by the harmonized standard UNE-EN ISO 14971:2020. The main differences between them are explained in this table:
Verification of Implementation of Risk Control Measures | Verification of Effectiveness of Risk Control Measures | |
---|---|---|
Definition | Confirm that the risk control has been implemented as specified in the design. | Confirm that the risk control actually reduces the identified risk to an acceptable level. |
Relevant Standard (ISO 14971) | Clause 6.2 (Risk control measures implementation) Clause 7.1 (Verification of implementation) | Clause 7.3 (Evaluation of residual risk) Clause 8 (Risk control effectiveness) |
Evidence Types | - Design documents - Traceability matrix - Unit/integration test reports - Code reviews | Validation protocols or results: • Usability Report • CER • Post-Market surveillance |
Timing | Phase 4 | Phase 5 and Post market |
Relation to Risk Management File | Confirms control is present in the system per risk management plan | Confirms residual risk is reduced and justifiable per risk-benefit analysis |
The evidence for verification of implementation and effectiveness of risk control measures is collected in the R-TF-013-002 Risk Management Record, in the column named “Implanted mitigation measure”, and also in the column "Verification of control measure", which is documented by the person responsible for verifying the activity.
Verification of implementation of risk control measures
Confirm that the risk control has been implemented as specified in the design. This is done in the Phase 4 of the design.
Verification of effectiveness of risk control measures
Confirm that the risk control actually reduces the identified risk to an acceptable level. This is done in Phase 5 of the design and during the post-market.
Residual risk evaluation
Individual residual risks are evaluated by the same method and with the same criteria for risk acceptability as the initial risks. The residual risk is either acceptable or unacceptable. The evaluation specifies the new probability and severity (after the verification of the measures) that correspond to this residual risk assessment.
The effectiveness of the measures is verified by evaluating their new probability value. Typically, the severity value is considered the same as it was originally, except in specific cases:
- When the person responsible for the risk considers that it was assigned an extremely low value in earlier versions.
- When the measures taken can actually minimize the related hazard.
As a general principle, the control and minimization measures are oriented towards reducing the probability; only in certain cases will it be possible to reduce the severity of the harm, should it occur. When this assessment yields an unacceptable value, we take minimization measures to reduce the risks to acceptable levels, update the actions and repeat the action control process.
The residual risks that should be known by the user are incorporated into the documentation provided to the user together with the product.
Benefit-risk analysis
We carry out a global benefit-risk analysis and document it in the T-013-003 Risk management report.
Additionally, in order to analyze each individual risk according to annex A of the standard UNE-CEN ISO/TR 24971:2020, in the T-013-002 Risk Management Record we evaluate, at the end of each risk entry, the acceptability of the clinical benefit in comparison with the risk.
Each risk documented in the T-013-002 Risk Management Record will be assessed in relation to previous experience, the state of the art, the harmonized standards, and the preclinical and clinical data.
Each individual risk will be analyzed against the benefit-risk ratio acceptability matrix, developed in the T-013-001 Risk management plan, considering its specific probability, severity and resultant risk value.
Benefit-risk acceptability
PROBABILITY OF OCCURRENCE (rows) / SEVERITY (columns) | NEGLIGIBLE (1) | MINOR (2) | MAJOR (3) | SERIOUS (4) | CRITICAL (5) |
---|---|---|---|---|---|
FREQUENT (5) | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
PROBABLE (4) | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
OCCASIONAL (3) | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis |
REMOTE (2) | Acceptable | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis |
IMPROBABLE (1) | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable |
Risk acceptability or rejection criterion
- No, unacceptable
- Pending, a risk minimization action is required
- Yes, acceptable
Risk resulting from control actions
The effects of the risk control measures should be reviewed in relation to:
- The introduction of new hazards or hazardous situations.
- If the estimated risks for previously identified hazardous situations are affected by the introduction of the risk control measures.
The new risks will be managed according to the process defined in this document. When a new risk appears, the person responsible creates a new entry in the T-013-002 Risk Management Record, creating a new version of the record. The new entry will have as its initial probability the same value that the previous one had as “RESIDUAL RISK EVALUATION”. When the current action has not been verified, it is moved to the new entry of the record with the same action and initial probability, for the required action verification.
Completeness of risk control
We ensure that all the risks derived from all the identified hazards are being considered. In each T-013-002 Risk Management Record, hazards and hazardous situations are documented with their foreseeable sequence of events, harms, risks, parts/people affected and potential causes/mechanisms of failure, in every case.
The risk control measures are documented in the T-013-002 Risk Management Record, in the columns “IMPLANTED MITIGATION MEASURES” and “IMPLEMENTED CONTROL MEASURES VERIFICATION” (when they have been verified).
Evaluation of overall residual risk
After the implementation of the actions, and their verification, we decide whether the risks are acceptable with respect to the values defined in the T-013-001 Risk management plan.
The acceptability of the risks is related to the benefit-risk ratio. A product with a clear benefit in relation to its risks will have a greater acceptable value; on the contrary, a product with a low benefit-risk ratio should be analyzed with a more restrictive level of acceptability.
The T-013-002 Risk Management Record shows the acceptability of the risk, assessing the RPN value and benefit-risk ratio, as "acceptable", "as far as possible (AFAP)" or "not acceptable".
When the risk level is classified as AFAP, the acceptability is conditional on a minimization measure being in place. According to the risk level matrix and the benefit-risk ratio acceptability matrix, its acceptability depends on the values of probability, severity and RPN (the combination of them).
For the residual risks that are considered acceptable, it will be necessary to decide which residual risks to disclose and include in the documentation for clients (IFUs, labels and any other document related to the medical device that contains technical specifications or other information, when it is intended for communication with customers).
Risk management review
Before the product is commercialized, we review the risk management process, ensuring that at least:
- The Risk Management Plan has been appropriately executed.
- The overall residual risk is acceptable.
- Appropriate methods are in place to collect and review relevant production and post-production information.
This review is documented in the T-013-003 Risk management report, which must contain the following information:
- Reference to the risk analysis plan.
- Records of risk analysis performed.
- Risk evaluation.
- The overall residual risk evaluation.
- Implementation and verification of established control methods.
- Assessment of the acceptability of possible residual risks.
The T-013-003 Risk management report will be reviewed annually, when a new hazard is identified or when a known hazard requires the redesign of control actions. The document will be edited, revised and approved by the responsible people specified in the document itself.
Safety Objectives for Clinical Evaluation
Definition and Purpose
Safety Objectives are specific residual risks identified in the risk management file that require monitoring and validation during clinical studies. These objectives serve as a bridge between risk assessment predictions and real-world clinical evidence, ensuring that the estimated probabilities align with observed clinical outcomes.
Integration with Clinical Evaluation Plan (CEP)
Safety Objectives must be documented in the Clinical Evaluation Plan (T-015-001 Clinical evaluation plan (CEP)) and include:
- Identification of residual risks requiring clinical validation: Each Safety Objective corresponds to a specific residual risk from the T-013-002 Risk management record
- Predicted probability values (P1): The estimated probability of occurrence from the risk analysis
- Monitoring methodology: How the occurrence will be tracked during clinical studies
- Acceptance criteria: Thresholds for determining if observed probabilities align with predictions
Validation Process
During clinical evaluation, each Safety Objective undergoes validation through:
- Data Collection: Systematic recording of occurrences during clinical studies
- Probability Comparison: Analysis of P1 (estimated) versus P1 (observed)
- Risk File Update: Adjustment of probability values if significant deviations are found
- Benefit-Risk Re-evaluation: Assessment of whether the overall benefit-risk ratio remains acceptable
Example
For the residual risk "Misrepresentation of magnitude returned by the device (R-HBD)":
- P1 (estimated): 1/1000 (Remote, Score 2)
- Clinical monitoring: Track all instances where device measurements differ from reference standards
- Validation: Confirm that observed occurrence rate in clinical studies aligns with the P1 estimation
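The probability comparison from the validation process, applied to the R-HBD estimate above, as an added example that is not part of the original procedure. The exact (Clopper-Pearson) one-sided 95% bounds, the function names and the event/subject counts are assumptions made for illustration; the procedure itself does not prescribe a statistical method.

```python
import math

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def upper_bound(events, subjects, alpha=0.05):
    """Largest occurrence rate still compatible with the observed count."""
    if events >= subjects:
        return 1.0
    lo, hi = events / subjects, 1.0
    for _ in range(80):  # bisection: binom_cdf decreases as p grows
        mid = (lo + hi) / 2
        if binom_cdf(events, subjects, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

def lower_bound(events, subjects, alpha=0.05):
    """Smallest occurrence rate still compatible with the observed count."""
    if events == 0:
        return 0.0
    lo, hi = 0.0, events / subjects
    for _ in range(80):  # bisection: P(X >= events) increases as p grows
        mid = (lo + hi) / 2
        if 1 - binom_cdf(events - 1, subjects, mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo

def compare_p1(events, subjects, p1_estimated, alpha=0.05):
    """Classify the observed P1 against the estimate in the risk record."""
    if lower_bound(events, subjects, alpha) > p1_estimated:
        return "exceeds estimate: update risk file, re-evaluate benefit-risk"
    if upper_bound(events, subjects, alpha) <= p1_estimated:
        return "consistent with estimate"
    return "inconclusive: sample too small to confirm the estimate"

if __name__ == "__main__":
    P1 = 1 / 1000  # R-HBD estimate (Remote, Score 2) from the example above
    # Constructed study outcomes (events, subjects), not real clinical data.
    for events, subjects in [(0, 300), (0, 3000), (6, 1000)]:
        print(events, subjects, compare_p1(events, subjects, P1))
```

With zero observed events, a study of 300 subjects cannot confirm a 1/1000 estimate under these assumptions; roughly 3,000 subjects are needed before the upper bound drops below it.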
Documentation Requirements
The results of Safety Objectives validation must be documented in:
- T-015-003 Clinical evaluation report (CER): Final validation results and conclusions
- T-013-002 Risk management record: Updates to probability values based on clinical evidence
- T-007-001 Post-market clinical follow-up plan: Ongoing monitoring requirements
Production and post-production activities
Once the production process has begun, an evaluation of the production data must be carried out periodically, as well as of the data obtained in accordance with the procedures GP-004 Vigilance system, GP-006 Non-conformity. Corrective and preventive actions, GP-007 Post-market surveillance and GP-014 Feedback and complaints. During this evaluation, we will determine if:
- Previously unrecognized hazards or hazardous situations are present.
- An estimated risk arising from a hazardous situation is no longer acceptable.
- The overall residual risk is no longer acceptable in relation to the benefits of the intended use.
- The generally acknowledged state of the art has changed.
- A re-evaluation should be done to check the impact on previously implemented risk management activities.
- It is necessary to implement new risk control measures.
- It is necessary to establish a different control.
The results of this evaluation are considered an input for the review of the suitability of the risk management process by top management according to GP-002 Quality planning.
Regarding each particular medical device or family of medical devices:
- We will review each medical device risk management file and determine if reassessment of risks and/or assessment of new risks is necessary.
- If a residual risk is no longer acceptable, we will evaluate the impact on previously implemented risk control measures and we will consider it as an input for modification of the medical device.
- We will consider the need for actions regarding medical devices on the market.
- We record any decisions and actions in the risk management file.
Associated documents
GP-002 Quality planning
T-002-004 Management review report
T-005-001 Job description
T-005-002 Personnel card
T-013-001 Risk management plan
T-013-002 Risk Management Record
T-013-003 Risk management report
GP-004 Vigilance system
GP-006 Non-conformity. Corrective and preventive actions
GP-007 Post-market surveillance
GP-014 Feedback and complaints
GP-015 Clinical evaluation
T-015-001 Clinical evaluation plan (CEP)
T-015-003 Clinical evaluation report (CER)
T-007-001 Post-market clinical follow-up plan
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003
- Approver: JD-004